NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Ryan Bonner Brightline
WHAT IS INFORMATION SECURITY? Personnel Security Operational Security Contingency Planning & Disaster Recovery Cybersecurity Privacy Physical Security 2
NONFEDERAL ORGANIZATIONS SOME EXAMPLES
The CUI Registry www.archives.gov/cui/registry/category-list.html Online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent. Identifies approved CUI categories and subcategories (with descriptions of each) and the basis for controls. Sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.
CategorySubcategory: Proprietary Business Information-Manufacturer Category Description: Material and information relating to, or associated with, a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications. Subcategory Description: Relating to the production of a consumer product to include that of a private labeler. Marking: MFC
The Big Picture Plan for the protection of CUI Federal CUI rule (32 CFR Part 2002) to establish the required controls and markings for CUI governmentwide NIST Special Publication 800-171 to define security requirements for protecting CUI in nonfederal information systems and organizations Federal Acquisition Regulation (FAR) clause to apply the requirements of the federal CUI rule and NIST Special Publication 800-171 to contractors DFAR clause 252.204.7008 requires compliance to NIST Special Publication 800-171
PURPOSE WHEN THE CUI IS RESIDENT IN NONFEDERAL INFORMATION SYSTEMS AND ORGANIZATIONS. WHEN THE INFORMATION SYSTEMS WHERE THE CUI RESIDES ARE NOT OPERATED BY ORGANIZATIONS ON BEHALF OF THE FEDERAL GOVERNMENT. WHERE THE CUI DOES NOT HAVE SPECIFIC SAFEGUARDING REQUIREMENTS PRESCRIBED BY THE AUTHORIZING LAW, REGULATION, OR GOVERNMENTWIDE POLICY FOR THE CUI CATEGORY OR SUBCATEGORY LISTED IN THE CUI REGISTRY.
APPLICABILITY THE REQUIREMENTS ARE INTENDED FOR USE BY FEDERAL AGENCIES IN CONTRACTUAL VEHICLES OR OTHER AGREEMENTS ESTABLISHED BETWEEN THOSE AGENCIES AND NONFEDERAL ORGANIZATIONS.
ASSUMPTIONS
NIST SPECIAL PUBLICATION 800-171 REV 1 DECEMBER 2016 HTTP://NVLPUBS.NIST.GOV/NISTPUBS/SPECIALPUBLICATIONS/NIST.SP.800-171R1.PDF
Access Control. Audit and Accountability. Awareness and Training. Configuration Management. Identification and Authentication. Incident Response. SECURITY Maintenance. REQUIREMENTS 14 FAMILIES Media Protection. Physical Protection. Personnel Security. Risk Assessment. Security Assessment. System and Communications Protection System and Information Integrity.
STRUCTURE OF SECURITY REQUIREMENTS SECURITY REQUIREMENTS HAVE A WELL-DEFINED STRUCTURE THAT CONSISTS OF THE FOLLOWING COMPONENTS: BASIC SECURITY REQUIREMENTS SECTION. DERIVED SECURITY REQUIREMENTS SECTION.
Security Requirement Configuration Management Example Basic Security Requirements: 3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems. Derived Security Requirements: 3.4.3 Track, review, approve/disapprove, and audit changes to information systems. 3.4.4 Analyze the security impact of changes prior to implementation. 3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system. 3.4.5
Security Requirement Configuration Management Example 3.4.1 Basic Security Requirements: 3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Meeting the Requirements: Develops, documents and maintains a current baseline configuration of the information system Configuration control in place
Security Requirement Configuration Management Example 3.4.1 Basic Security Requirements: 3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Meeting the Requirements: Configuration management policy; procedures and plan. Documentation for Enterprise architecture or information system design. Information system configuration settings and associated documentation. Change control records. Personnel with configuration management responsibilities. System/network administrator.
IF THE OFFEROR PROPOSES TO VARY FROM ANY OF THE SECURITY REQUIREMENTS SPECIFIED BY NIST SP 800171 THAT ARE IN EFFECT AT THE TIME THE SOLICITATION IS ISSUED OR AS AUTHORIZED BY THE CONTRACTING OFFICER, THE OFFEROR SHALL SUBMIT TO THE CONTRACTING OFFICER, FOR CONSIDERATION BY THE DOD CHIEF INFORMATION OFFICER (CIO), A WRITTEN EXPLANATION OF (A) WHY A PARTICULAR SECURITY REQUIREMENT IS NOT APPLICABLE; OR (B) HOW AN ALTERNATIVE BUT EQUALLY EFFECTIVE, SECURITY MEASURE IS USED TO COMPENSATE FOR THE INABILITY TO SATISFY A PARTICULAR REQUIREMENT AND ACHIEVE EQUIVALENT PROTECTION.